Abstract. Constraint automata are an adaptation of Büchi-automata
that process data words where the data comes from some relational
structure $\mathfrak{S}$. Every transition of such an automaton comes with constraints
in terms of the relations of $\mathfrak{S}$. A transition can only be fired if the current
and the next data values satisfy all constraints of this transition. These
automata have been used in the setting where $\mathfrak{S}$ is a linear order for
deciding constraint LTL with constraints over $\mathfrak{S}$. In this paper, $\mathfrak{S}$ is the
infinitely branching infinite order tree T. We provide a PSPACE algorithm
for emptiness of T-constraint automata. This result implies PSPACE-completeness
of the satisfiability and the model checking problem for
constraint LTL with constraints over T.


1 Introduction 


Temporal logics like LTL or CTL* are nowadays standard languages for specifying 
system properties in verification. These logics are interpreted over node labelled 
graphs, where the node labels (also called atomic propositions) represent abstract 
properties of a system (for instance, a computer program). Clearly, such an 
abstracted system state does not in general contain all the information of the 
original system state. This may lead to incorrect results in model checking. 

In order to overcome this weakness, extensions of temporal logics by atomic
(local) constraints over some structure $\mathfrak{A}$ have been proposed (cf. [7,10]). For
instance, LTL with local constraints is evaluated over infinite words where the
letters are tuples over $\mathfrak{A}$ of a fixed size. For instance, for $\mathfrak{A} = (\mathbb{Z}, <)$, this logic is
standard LTL where atomic propositions are replaced by atomic constraints of
the form $X^i x_j < X^l x_k$. This constraint is satisfied by a path $\pi$ if the $j$-th element
of the $i$-th letter of $\pi$ is less than the $k$-th element of the $l$-th letter of $\pi$.

While temporal logics with integer constraints are suitable to reason about
programs manipulating counters, reasoning about systems manipulating pushdowns
requires constraints over words over a fixed alphabet and the prefix relation (which
is equivalent to constraints over an infinite $k$-ary tree with descendant/ancestor
relations). There are numerous investigations on satisfiability and model checking
for temporal logics with constraints over the integers (cf. [7,2,10,12,3,4]). In
contrast, temporal logics with constraints over trees have not yet been investigated
much, although questions concerning decidability of the satisfiability problem
for LTL or CTL* with such constraints have been asked for instance in mm. A 
first (negative) result by Carapelle et al. shows that a technique developed in 
m for satisfiability results of branching-time logics (like CTL* or ECTL*) with 
integer constraints cannot be used to resolve the satisfiability status of temporal 
logics with constraints over trees. 

Our goal is to show that satisfiability of LTL with constraints over the tree is 
decidable. At first, we analyse the emptiness problem of T-constraint automata
(cf. [12,9]), where T is the infinitely branching infinite tree with prefix relation.
These automata are Büchi-automata that process (multi-)data words where the
data values are elements of T where applicability of transitions depends on the 
order of the data values at the current and the next position. Our technical main 
result shows that emptiness for these automata is PSPACE-complete. Having 
obtained an algorithm for the emptiness problem, we can easily provide algorithms 
for the satisfiability and model checking problems for LTL with constraints over 
T. We exactly mimic the automata based algorithms for standard LTL of Vardi 
and Wolper [13] noting that the constraints in the transitions are exactly what is 
needed to deal with the atomic constraints in the local constraint version of LTL. 
It follows directly that satisfiability of LTL with constraints over T and model 
checking models defined by constraint automata against LTL with constraints 
over T is PSPACE-complete. 

Finally, we extend our results to the case of constraints over the infinite $k$-ary
tree for every $k \in \mathbb{N}$ by providing a reduction to LTL with constraints over T.
Thus, satisfiability and model checking for LTL with constraints over the infinite
$k$-ary tree is also in PSPACE.

Upon finishing our paper, we have become aware that Demri and Deters
(abbreviated DD in the following) have submitted a paper [5] that shows the
above-mentioned results on satisfiability using a reduction of constraints over trees
to constraints over the integers. Even though the main results of both papers 
coincide, there are major differences. 

1. DD’s result extends to satisfiability of the corresponding version of CTL*, 
but DD do not consider the model checking problem. 

2. DD’s result holds even if the logic is enriched by length constraints that 
compare the lengths of the interpretations of variables. Since our approach 
abstracts away the concrete length of words, we cannot reprove this result. On 
the other hand, we can enrich the logic with constraints using the lexicographic 
order on the tree as well. DD’s approach cannot deal with this order. Thus,
the logic in each paper is incomparable to the logic of the other. 

3. DD conjecture that the (branching-degree) uniform satisfiability problem is in
PSPACE. This problem asks, given a formula and a $k \in \mathbb{N} \cup \{\infty\}$, whether
there is a model with values in the $k$-ary infinite tree that satisfies the formula.
We confirm DD’s conjecture.

4. Finally, our proof is self-contained. In contrast, DD’s proof seems to be 
more elegant and less technical, but this comes at the cost of relying on the 
decidability result for satisfiability of LTL with constraints over the integers
[3], which is again quite technical to prove.

Our result leaves open several further research directions. Firstly, DD’s result 
on CTL* with constraints over trees does not yield any reasonable complexity 
bound because the complexity of their algorithm relies on the results of Bojańczyk
and Toruńczyk PQ on weak monadic second order logic with the unbounding
quantifier. Thus, without any progress concerning the complexity of this logic,
DD’s approach cannot be used to obtain better bounds. In contrast, the concept 
of T-constraint automata can be easily lifted to a T-constraint tree-automaton 
model. Complexity bounds on the emptiness problem for this model would 
directly imply bounds on the satisfiability for CTL* with constraints over T. 
Thus, investigating whether our approach transfers to a result on the emptiness 
problem of T-constraint tree-automata might be a fruitful approach. Secondly, it 
may be possible to lift our results to the global model checking problem similar to 
the work of Bozzelli and Pinchinat [3] on LTL with constraints over the integers.
Finally, it is a very challenging task to decide whether DD’s result and our result 
can be unified to a result on LTL with constraints over the tree with prefix order, 
lexicographic order and length-comparisons (of maximal common prefixes). 


2 Model Checking LTL with Constraints over Trees 

We first introduce $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$, a variant of LTL with local constraints. A
model of a formula of this logic is a (multi-)data word where the data comes
from some $\{\preceq, \sqsubseteq, S\}$-structure. We are particularly interested in the case where
this structure is an order tree with lexicographic order $\sqsubseteq$. We want to adjust the
automata-based model checking methods for LTL to this setting. For this purpose
we then recall the definition of tree-constraint automata. The technical core of this
paper shows that emptiness of tree-constraint automata is PSPACE-complete.
Before we delve into this technical part, we prove that satisfiability and model
checking for $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ formulas with constraints over the full infinitely
branching tree are in PSPACE due to a reduction to the emptiness problem
of tree-constraint automata. We conclude this section by providing a reduction
of satisfiability and model checking for $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ with constraints over
the full tree of branching degree $k$ to the corresponding problem over the full
infinitely branching tree.


2.1 LTL with Constraints 

Constraint LTL over signature $\{\preceq, \sqsubseteq, s_1, s_2, \dots, s_m\}$ where $S = \{s_1, \dots, s_m\}$
is a set of constant symbols, abbreviated $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$, is given by the grammar

$$\varphi ::= X^i x_1 * s \mid s * X^i x_1 \mid X^i x_1 * X^j x_2 \mid \neg\varphi \mid (\varphi \wedge \varphi) \mid X\varphi \mid \varphi U \varphi \mid G\varphi$$

Footnote: In fact, our proof can be easily adapted to reprove this result.

where $* \in \{\preceq, \sqsubseteq\}$, $i, j$ are natural numbers, $x_1, x_2$ are variables from some
countable fixed set $V$ and $s \in S$ is a constant symbol. Given a structure
$\mathfrak{A} = (A, \preceq, \sqsubseteq, s_1^{\mathfrak{A}}, s_2^{\mathfrak{A}}, \dots, s_m^{\mathfrak{A}})$, an $n$-dimensional data word over $\mathfrak{A}$ is a sequence
$(a_i)_{i \in \mathbb{N}}$ with $a_i \in A^n$. We evaluate a formula $\varphi$ (where $x_1, \dots, x_n \in V$ are the
variables occurring in $\varphi$) on $n$-dimensional data words $(a_i)_{i \in \mathbb{N}}$. We write for
the $j$-th component of $a_i$. We say $(a_i)_{i \in \mathbb{N}}$ is a model of $\varphi$, denoted as $(a_i)_{i \in \mathbb{N}} \models \varphi$,
if the usual conditions for LTL hold, and the following additional rules apply for

- (aj)jeN h * (X^xi) if and only if 21 |= a( * o^, 

“ (ai)iGN \= (X^cc;) * Sj (or Sj * {X^xi), resp.) if and only if 21 ^ a( * Sj (or 
i^\= Sj * a\, respectively). 

Note that our constraint LTL does not use atomic propositions. On nontrivial 
structures, proposition p can be resembled by constraints of the form Xp^ = Xp^. 

As for usual LTL one defines dual operators. Then every formula has an
equivalent negation normal form where negation only appears in front of atomic
constraints ($(X^i x_1) * (X^j x_2)$, $s * X^i x$ or $X^i x * s$). Using that
$X^n(X^i x_k * X^j x_l) = X^{i+n} x_k * X^{j+n} x_l$ and by introducing auxiliary variables, it is also easy
to eliminate exponents in terms:

Proposition 1. There is a polynomial time algorithm that computes, on input an
$\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\varphi$, an equivalent $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\psi$ such that
$\psi$ does not contain terms of the form $X^i x$ with $i \geq 2$.

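We want to investigate $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ in the cases where the structure $\mathfrak{A}$ is
one of the following order trees. For each $k \in \{2, 3, 4, \dots\}$, let

$$T_\infty^C = (\mathbb{Q}^*, \preceq, \sqsubseteq, c_1, c_2, \dots, c_m) \quad\text{and}\quad T_k^C = (\{1, 2, \dots, k\}^*, \preceq, \sqsubseteq, c_1, \dots, c_m)$$

where $\preceq$ is the prefix order, $\sqsubseteq$ is the lexicographic order defined by $w \sqsubseteq v$ if
either $w \preceq v$ or there are $q_1, q_2 \in \mathbb{Q}$ such that $(w \sqcap v)q_1 \preceq w$, $(w \sqcap v)q_2 \preceq v$ and
$q_1 < q_2$, where $<$ is the natural order on $\mathbb{Q}$ and $\sqcap$ denotes the (binary) greatest
common prefix operator, and $C = (c_1, c_2, \dots, c_m)$ is a tuple of constants in $\mathbb{Q}^*$ or
$\{1, 2, \dots, k\}^*$, respectively.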

2.2 Constraint Automata 

In the following, we investigate the satisfiability and model checking problems
for $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ over models with data values in one of the trees $T_k^C$ for
$k \in \{\infty, 2, 3, 4, \dots\}$. We follow closely the automata theoretic approach of Vardi
and Wolper [13] which provides a reduction of model checking for LTL to the
emptiness problem of Büchi automata. In order to deal with the constraints,
we use $T_k^C$-constraint automata (cf. [12]) instead of Büchi automata. Next we
recall the definition of constraint automata and state our main result concerning
emptiness of constraint automata. We then derive analogous results of Vardi
and Wolper’s decidability results on LTL for $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ with constraints
over $T_k^C$. A $T_k^C$-constraint automaton is defined as a usual Büchi automaton but
instead of labelling transitions by some letter from a finite alphabet we label
them by Boolean combinations of constraints which the current and the next
data values have to satisfy in order to apply the transition.

Definition 2.

- An $n$-dimensional $T_k^C$-constraint automaton is a quadruple
$A = (Q, I, F, \delta)$ where $Q$ is a finite set of states, $I \subseteq Q$ the initial states,
$F \subseteq Q$ the set of accepting states and $\delta$ the transition relation, consisting of
triples $(q, \beta, p)$ where $q, p \in Q$ and $\beta$ is a quantifier-free formula over
signature $\{\preceq, \sqsubseteq\} \cup C$ with variables $x_1, \dots, x_n, y_1, \dots, y_n$, i.e., a propositional
logic formula with atomic formulas $v * v'$, with $* \in \{\preceq, \sqsubseteq\}$ and $v, v'$ variables or constants.

- A configuration of the automaton $A$ is a tuple in $Q \times (\{1, 2, \dots, k\}^*)^n$ (or
$(\mathbb{Q}^*)^n$ if $k = \infty$).

- We define $(q, w) \to (p, v)$ iff there is a transition $(q, \beta(x_1, \dots, x_n, y_1, \dots, y_n), p)$
such that $T_k^C \models \beta(w, v)$.

- A run of $A$ is a finite or infinite sequence of configurations $r = (c_j)_{j \in J}$
($J \subseteq \mathbb{N}$ an interval) such that $c_j \to c_{j+1}$ for all $j, j+1 \in J$. For a finite run
$r = (c_i)_{i_1 \leq i \leq i_2}$ ($i_1 \leq i_2 \in \mathbb{N}$) we say $r$ is a run from $c_{i_1}$ to $c_{i_2}$.

- A run $r = (c_i)_{i \in \mathbb{N}}$ is accepting if $c_0 = (q, d_1, \dots, d_n)$ for an initial state $q \in I$
and a final state $f \in F$ appears in infinitely many configurations of $r$.

- The set of all words accepted by $A$ comprises all $w_1 w_2 \dots \in ((\mathbb{Q}^*)^n)^\omega$ (or
$((\{1, \dots, k\}^*)^n)^\omega$ if $k \neq \infty$) such that there is an accepting infinite run $(c_i)_{i \in \mathbb{N}}$
with $c_i = (q_i, w_i)$.

In the following sections (see Theorem we prove that emptiness of $n$-dimensional
$T_k^C$-constraint automata is PSPACE-complete in terms of $|Q| + |C| + k + m$
where $m$ is the length of the longest constant occurring in $C$. We next
apply this result in order to obtain PSPACE-completeness of satisfiability and 
model checking. 

2.3 Satisfiability and Model Checking of Constraint LTL 

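Definition 3. Let $k \in \{\infty, 2, 3, 4, \dots\}$.

$\mathrm{SAT}(T_k^C)$ denotes the satisfiability problem for $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ over $T_k^C$:
given a set of constants $C$ and an $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\varphi$, is there a data word
$(w_i)_{i \in \mathbb{N}}$ over $T_k^C$ such that $(w_i)_{i \in \mathbb{N}} \models \varphi$?

$\mathrm{MC}(T_k^C)$ denotes the model checking problem for $T_k^C$-constraint automata
against $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$: given a set of constants $C$, a $T_k^C$-constraint automaton $A$
and an $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\varphi$, is there a data word $(w_i)_{i \in \mathbb{N}}$ over $T_k^C$ accepted
by $A$ such that $(w_i)_{i \in \mathbb{N}} \models \varphi$?

Theorem 4. Let $k \in \{\infty, 2, 3, 4, \dots\}$ and $C$ a set of constants. $\mathrm{SAT}(T_k^C)$ and
$\mathrm{MC}(T_k^C)$ are PSPACE-complete.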

Proof. Since there is an automaton accepting all data words, the satisfiability 
problem reduces to the model checking problem whence it suffices to prove the 
claim on model checking. Hardness follows directly from the known results for 
LTL. We first prove $\mathrm{MC}(T_\infty^C) \in \mathrm{PSPACE}$ and then we provide a reduction of
$\mathrm{MC}(T_k^C)$ to $\mathrm{MC}(T_\infty^C)$ for all other $k$.

Case $k = \infty$. Let $C \subseteq \mathbb{Q}^*$ be a finite set of constants, $A$ a $T_\infty^C$-constraint
automaton and $\varphi \in \mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$. Due to Proposition we can assume that
all atomic constraints occurring in $\varphi$ only concern the current and the next data
values. Recall that Vardi and Wolper [13] provided a translation from LTL to
Büchi automata such that the resulting automaton accepts some word if and
only if it is a model of the formula.

This translation directly lifts to a translation of $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$ over $T_\infty^C$
to $T_\infty^C$-constraint automata. As in the standard construction, each state of the
automaton is a subset of (the negation closure of) the set of subformulas of
the $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula. Intuitively, an accepting run of the automaton on
$(w_i)_{i \in \mathbb{N}}$ is at position $i_0$ in a state containing some subformula $\psi$ if and only
if $(w_i)_{i \geq i_0} \models \psi$. Obviously the dependence of the transitions of a constraint
automaton on the order of the current and next data values is exactly what is
needed to allow the automaton to switch from one state to another only if the
(possibly negated) atomic constraints contained in the current state are satisfied
by the current and the next data values.

Thus, we obtain a constraint automaton $B$ such that $B$ accepts $(w_i)_{i \in \mathbb{N}}$ if and
only if $(w_i)_{i \in \mathbb{N}} \models \varphi$. Since the usual product construction for Büchi automata
lifts also to constraint automata, we easily construct in polynomial space an
automaton C such that C accepts a word if and only if both $A$ and $B$ accept
this word. Thus, the set of all words accepted by C is non-empty if and only if
there is a data word $(w_i)_{i \in \mathbb{N}}$ such that $A$ accepts $(w_i)_{i \in \mathbb{N}}$ and $(w_i)_{i \in \mathbb{N}} \models \varphi$. Since
emptiness is in PSPACE the claim follows.

Case $k \neq \infty$. Now we turn to the case $T_k^C$ where $k \neq \infty$. Let $C_1$ be the set of
$\preceq$-maximal elements of $C$, and let $\varphi$ and $A$ be as before. Without loss of generality we
can assume that $C_1$ intersects every infinite branch in $\{1, 2, \dots, k\}^\omega$. (If not, add $ci$
as a new constant for every $c$ in the prefix-closure of $C$ and $i \in \{1, 2, \dots, k\}$, which
only causes a polynomial growth of the input.) We claim that $(C, A, \varphi)$ is a positive
instance of $\mathrm{MC}(T_k^C)$ if and only if $(C, A, \psi)$ is a positive instance of $\mathrm{MC}(T_\infty^C)$
where $A$ is seen as a $T_\infty^C$-automaton and
$\psi = \varphi \wedge G \bigwedge_{i=1}^{n} \bigvee_{c \in C_1} (x_i \preceq c \vee c \preceq x_i)$,
where $x_1, x_2, \dots, x_n$ is the set of variables occurring in the constraints of $\varphi$.
Basically, $\psi$ is $\varphi$ with the additional condition that the data values occurring in
a model form a tree of branching degree $k$ at all constants. It is clear that every
witness $(w_i)_{i \in \mathbb{N}}$ for the former model checking problem is a witness for the latter.

For the converse assume that $(w_i)_{i \in \mathbb{N}}$ is a data word over $T_\infty^C$ accepted by
$A$ satisfying $\psi$. Note that there is an injective map $g : \mathbb{Q}^* \to \{1, 2\}^*$ preserving
$\preceq$ and $\sqsubseteq$ in both directions (cf. Appendix ). Moreover, by definition of $\psi$ we
conclude that every value occurring in $(w_i)_{i \in \mathbb{N}}$ is either a prefix of one of the
constants or of the form $c q_1 q_2 \dots q_n$ for some maximal constant $c \in C_1$. Thus,
we can define Vi = ..., a") where = wl H wl E c for some c £ Ci and 

vf = cg{u) if wj = cu for some c £ Ci and e. Clearly (hi)igN is a data word 
over $T_k^C$. Since $g$ preserves $\preceq$, $\sqsubseteq$ and all constants, it is a model of $\psi$ accepted by
$A$ whence it is also a model of $\varphi$. □

Remark 5. Demri and Deters [5] conjectured that if the arity $k$ of the tree is part
of the input to the satisfiability problem, it is still in PSPACE. Our proof confirms
that this branching degree uniform satisfiability problem is PSPACE-complete.

3 Emptiness of Tree Constraint Automata 

Recall that every nonempty Büchi automaton has an accepting run which is
ultimately periodic. We first prove that a nonempty constraint automaton has an 
accepting run which ultimately consists of loops that never contract the distances 
of data values and keep the order type of the data values constant. We then define 
the notion of the type of a run. It turns out that such a non-contracting loop 
exists if and only if the automaton has a run realising a type among a certain 
set. Finally, we provide a PSPACE-algorithm that checks whether an automaton 
realises a given type. Putting all these together yields our main technical result. 

Theorem 6. Emptiness of constraint automata is in PSPACE. 

3.1 Emptiness and Stretching Loops 

We first introduce some notation before defining our notion of stretching loop 
and characterising emptiness in terms of stretching loops. 

From now on a word is always an element of $\mathbb{Q}^*$, $\sqcap$ denotes the (binary)
greatest common prefix operator, and we fix a finite tuple of words
$C = (c_1, c_2, \dots, c_m)$ called constants. We assume that $C$ is closed under prefixes.
Note that closing $C$ under prefixes results only in polynomial growth.

Definition 7. Let $s_1, \dots, s_n$ be constant symbols and $\sigma = \{\preceq, \sqsubseteq, s_1, s_2, \dots, s_n\}$.
Given a tuple $w = (w_1, w_2, \dots, w_n)$ of words, the maximal common ancestor tree
of $w$ is the $\sigma$-structure

$$\mathrm{MCAT}(w) = (M, \preceq|_{M^2}, \sqsubseteq|_{M^2}, w_1, w_2, \dots, w_n),$$

where $w_i$ is the interpretation of constant symbol $s_i$ and

$$M = \{\varepsilon\} \cup \{ \textstyle\bigsqcap_{i \in I} w_i \mid \emptyset \neq I \subseteq \{1, 2, \dots, n\} \}.$$

The (order) type $\mathrm{typ}(w)$ of $w$ is the $\sigma$-isomorphism type of $\mathrm{MCAT}(w)$. We set
$\mathrm{MCAT}_C(w) := \mathrm{MCAT}(w, C)$ and $\mathrm{typ}_C(w) := \mathrm{typ}(w, C)$.

Labelling the words from $w$ by constant symbols has the following consequence: if
$\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$ for $w = (w_1, w_2, \dots, w_n)$ then there is a unique isomorphism
$h$ from $\mathrm{MCAT}_C(w)$ to $\mathrm{MCAT}_C(v)$ which maps $c \mapsto c$ for every $c \in C$ and $w_i \mapsto v_i$
for $w_i$ the $i$-th element of $w$ and $v_i$ the $i$-th element of $v$.

Definition 8. For $n \in \mathbb{N}$ we define a relation $\leq_C$ on configurations from
$Q \times (\mathbb{Q}^*)^n$ by $(q, w) \leq_C (p, v)$ if $q = p$, $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$ and the induced
isomorphism $h : \mathrm{MCAT}_C(w) \to \mathrm{MCAT}_C(v)$ satisfies for all $d, e \in \mathrm{MCAT}_C(w)$: if
$d \prec e$ then $|h(e)| - |h(d)| \geq |e| - |d|$.

Intuitively, $(q, w) \leq_C (q, v)$ holds if both data tuples have the same order type
and the lengths of intervals in $\mathrm{MCAT}_C(v)$ seen as a subtree of $\mathbb{Q}^*$ are greater
than the lengths of the corresponding intervals in $\mathrm{MCAT}_C(w)$. In the following
sections, we make extensive use of the following properties of $\leq_C$.

Lemma 9.

1. $\leq_C$ is a well-quasi order.

2. The (inverse) transition relation $\to$ ($\to^{-1}$) is strongly upwards compatible
with respect to $\leq_C$ in the sense of m, i.e., if $u \to v$ ($u \to^{-1} v$) and $u \leq_C u'$,
then there is a $v'$ such that $v \leq_C v'$ and $u' \to v'$ ($u' \to^{-1} v'$).

3. Given two configurations $(q, w)$ and $(q, v)$ such that $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$ then
there is a configuration $(q, u)$ such that $(q, w) \leq_C (q, u)$ and $(q, v) \leq_C (q, u)$.

Definition 10. A loop is a finite run $r = (c_i)_{i \leq n}$ with $c_0 = (q, w)$, $c_n = (q, v)$
and $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$. We say that a loop $r = (c_i)_{i \leq n}$ is stretching if $c_0 \leq_C c_n$.

Lemma 11. Let $A$ be a constraint automaton. $A$ has an accepting run if and
only if there are partial runs $r_1, r_2$ where $r_1$ starts in an initial configuration
and ends in some configuration $c$ whose state is a final state, and where $r_2$ is a
stretching loop starting in $c$.

Proof. ($\Rightarrow$). Let $r = (c_i)_{i \in \mathbb{N}}$ be an accepting run. Since $r$ contains infinitely many
configurations with a final state and $\leq_C$ is a wqo, we can find numbers $n_1 < n_2$
such that $c_{n_1} \leq_C c_{n_2}$ whence $(c_n)_{n \leq n_1}$, $(c_n)_{n_1 \leq n \leq n_2}$ are the desired runs.

($\Leftarrow$). Assume $r_1$ is a run from some initial configuration to $c_1$ whose state is a
final state $f \in F$ and $r_2$ is a stretching loop starting in $c_1$ and ending in $c_2$. Since
$c_1 \leq_C c_2$, iterated use of strong upwards compatibility (Lemma ) yields runs
$r_i$ from $c_{i-1}$ to $c_i$ such that $c_{i-1} \leq_C c_i$ for all $i \geq 3$. Clearly, the composition of
$r_1, r_2, r_3, r_4, \dots$ is an accepting run. □
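The definitions of MCAT, type, the relation $\leq_C$ and the witness condition of Lemma 11 can be checked mechanically on concrete data. The following Python code is an added example, not part of the paper: constraint formulas are encoded as Python predicates, and the 2-dimensional automaton `AUT`, its transitions `push` and `pop`, the sample runs and the requirement that a loop takes at least one step are assumptions made for illustration.

```python
from itertools import combinations_with_replacement

# Words of Q* are tuples of numbers; a data tuple is a tuple of such words.

def gcp(u, v):
    """Greatest common prefix u ⊓ v."""
    n = 0
    while n < min(len(u), len(v)) and u[n] == v[n]:
        n += 1
    return u[:n]

def is_prefix(u, v):
    """Prefix order: u ⪯ v."""
    return v[:len(u)] == u

def lex_leq(u, v):
    """Lexicographic order u ⊑ v: u ⪯ v, or u branches off to the left of v."""
    if is_prefix(u, v):
        return True
    g = len(gcp(u, v))
    return g < len(v) and u[g] < v[g]

def mcat_nodes(words):
    """Nodes of MCAT(words). In a tree the meet of any nonempty subset is a
    pairwise meet, so key (i, j) names w_i ⊓ w_j and "eps" names the root."""
    nodes = {"eps": ()}
    for i, j in combinations_with_replacement(range(len(words)), 2):
        nodes[(i, j)] = gcp(words[i], words[j])
    return nodes

def induced_iso(w, v, constants):
    """Isomorphism h: MCAT_C(w) -> MCAT_C(v) as a dict, or None when the
    types differ. Equal keys pair up nodes because h maps w_i to v_i,
    fixes every constant and preserves meets."""
    a = mcat_nodes(tuple(w) + tuple(constants))
    b = mcat_nodes(tuple(v) + tuple(constants))
    for k1 in a:
        for k2 in a:
            if is_prefix(a[k1], a[k2]) != is_prefix(b[k1], b[k2]):
                return None
            if lex_leq(a[k1], a[k2]) != lex_leq(b[k1], b[k2]):
                return None
    return {a[k]: b[k] for k in a}

def stretches(w, v, constants):
    """Data part of (q, w) <=_C (q, v): same type and no interval shrinks."""
    h = induced_iso(w, v, constants)
    if h is None:
        return False
    return all(len(h[e]) - len(h[d]) >= len(e) - len(d)
               for d in h for e in h if d != e and is_prefix(d, e))

def is_run(transitions, configs):
    """Each step (q, w) -> (p, v) needs a transition (q, beta, p) with beta(w, v)."""
    return all(any(s == q and t == p and beta(w, v) for s, beta, t in transitions)
               for (q, w), (p, v) in zip(configs, configs[1:]))

def is_lemma11_witness(aut, r1, r2, constants):
    """r1 leads from an initial configuration to a final-state configuration c,
    and r2 is a stretching loop starting in c."""
    initial, final, transitions = aut
    (q0, _), (f, w) = r1[0], r1[-1]
    p, v = r2[-1]
    return (q0 in initial and f in final and r2[0] == r1[-1] and p == f
            and len(r2) > 1  # assumption: a loop takes at least one step
            and is_run(transitions, r1) and is_run(transitions, r2)
            and stretches(w, v, constants))

# Constructed example: constants closed under prefixes, two data components.
C = ((), (1,))
ONE = (1,)

def push(x, y):
    # x1 strictly grows below the constant 1; y2 is incomparable right of y1.
    return (is_prefix(x[0], y[0]) and x[0] != y[0] and is_prefix(ONE, y[0])
            and lex_leq(y[0], y[1]) and not is_prefix(y[0], y[1]))

def pop(x, y):
    # x1 strictly shrinks but stays below 1; x2 = y2 (⪯ in both directions).
    return (is_prefix(y[0], x[0]) and x[0] != y[0] and is_prefix(ONE, y[0])
            and is_prefix(x[1], y[1]) and is_prefix(y[1], x[1]))

AUT = ({"init"}, {"acc"},
       [("init", push, "acc"), ("acc", push, "acc"), ("acc", pop, "acc")])

R1 = [("init", ((), ())), ("acc", ((1, 0), (2,)))]
LOOP_OK = [("acc", ((1, 0), (2,))), ("acc", ((1, 0, 0), (2, 7)))]
R1B = [("init", ((), ())), ("acc", ((1, 0, 0), (2,)))]
LOOP_POP = [("acc", ((1, 0, 0), (2,))), ("acc", ((1, 0), (2,)))]
```

`LOOP_OK` is a stretching loop, so together with `R1` it certifies an accepting run; `LOOP_POP` is a valid loop of the same type whose interval below the constant shrinks, so it is not stretching and certifies nothing on its own.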

3.2 Stretching Loops and Types of Runs 

Definition 12. Let $r = (c_i)_{0 \leq i \leq n}$ be a finite run, with $c_0 = (q, w)$ and
$c_n = (p, v)$. Setting $\pi = \mathrm{typ}_C(w, v)$, we say $r$ has type $\mathrm{typ}(r) = (q, \pi, p)$.

Definition 13. Let $w, v$ be $k$-tuples of words such that $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$ and
let $h$ be the induced isomorphism from $\mathrm{MCAT}_C(w)$ to $\mathrm{MCAT}_C(v)$. $(w, v)$ is called
contracting if one of the following holds.

1. There is some $d \in \mathrm{MCAT}_C(w)$ such that $h(d) \prec d$.

2. There are $d, e \in \mathrm{MCAT}_C(w)$ such that $d \prec e$, $h(e) = e$ and $d \prec h(d)$.

We call a loop $r$ from $(q, w)$ to $(q, v)$ contracting if $(w, v)$ is contracting. Otherwise,
we call it (and its type) noncontracting.

Remark 14. The type of a loop determines whether it is noncontracting. Let us
explain the term ‘contracting’. Fix a loop from $(q, w)$ to $(q, v)$. The isomorphism
h : MCATc(u') —t MCATc(u) relates for every pair ^ fljeL 

interval (TlkeK the interval (flfeGif Hiei% definition, 
for every contracting loop there is a pair (K, L) such that ( setting nfcG0 = e) 



The technical core of this section shows that if an automaton admits a 
noncontracting loop then it admits a stretching loop with the same initial and 
final state. This allows us to rephrase the conditions from Lemma in terms of
types. The proof of this claim requires some definitions and preparatory lemmas. 


Definition 15. Let u be a word and m G N. We define the insertion of an m-gap 

at u to be C : Q* ^ Q* given by ifffw) = < ^ 

I m) V ij w = uv. 

Given a finite run r, the sequence t™(r) obtained by applying to each data 
value of r is the run obtained by insertion of an m-gap at m in r. 


For $r = (c_i)_{i \in I}$ and $r' = (d_i)_{i \in I}$ we write $r \leq_C r'$ if $c_i \leq_C d_i$ for all $i \in I$. Note
that the insertion of a gap preserves $\sqsubseteq$ and $\sqcap$ in both directions.

Lemma 16. Let $r$ be a run and $u$ a word such that $u$ is not a prefix of any
constant. The sequence $\iota_u^m(r)$ is indeed a run $r'$ of the same type and $r \leq_C r'$.

Let $w, v \in \mathbb{Q}^*$. We say $w$ is incomparable left of $v$ if $w \sqsubseteq v$ and $w \not\preceq v$. In the
same situation we call $v$ incomparable right of $w$.

Lemma 17. Let $w, v$ be $k$-tuples with $\mathrm{typ}(w) = \mathrm{typ}(v)$. If $w_i$ is incomparable
left (right) of $v_i$ and $v_i \preceq w_j$, then $w_j$ is incomparable left (right) of $v_j$ and
incomparable right (left) of $w_i$.

Proof. By type equality, we have that $v_i$ is incomparable left of $v_j$, whence the
same holds for its descendant $w_j$. From $w_i \sqsubseteq v_i \preceq w_j$ follows $w_i \sqsubseteq w_j$, and
$w_i \not\preceq w_j$ as $w_i \not\preceq v_i$. □

Proposition 18. Let $r$ be a noncontracting loop. There is a stretching loop $r'$
such that $r \leq_C r'$.

Proof. Let $r$ from $(q, w)$ to $(q, v)$ be a noncontracting loop and $h : \mathrm{MCAT}_C(w) \to \mathrm{MCAT}_C(v)$
the induced isomorphism. We iteratively define a sequence
$r = r_0 \leq_C r_1 \leq_C \dots \leq_C r_n$ of runs until $r_n$ is stretching.

We call a pair $(u_1, u_2) \in \mathrm{MCAT}_C(w)^2$ problematic (with respect to $r$) if
$u_1 \preceq u_2$ and $|u_2| - |u_1| > |h(u_2)| - |h(u_1)|$. Recall that in this case $u_2$ and $h(u_2)$
are not prefix of any constant $c$ from $C$ because $h$ fixes all such elements. Let $P_r$
be the set of all problematic pairs. We split the set of all problematic pairs into
three parts, which we handle separately (cf. Figure for an example). Let

$L_r = \{ (u_1, u_2) \in P_r \mid u_2 \text{ incomparable left of } h(u_2) \}$,
$R_r = \{ (u_1, u_2) \in P_r \mid u_2 \text{ incomparable right of } h(u_2) \}$, and
$D_r = \{ (u_1, u_2) \in P_r \mid u_2 \text{ comparable to } h(u_2) \}$.

L-Step: If $L_r$ is nonempty, choose the $\sqsubseteq$-minimal $u_2$ such that there is $u_1$ with
$(u_1, u_2) \in L_r$. Now fix $u_1$ such that $(u_1, u_2) \in L_r$ and
$d := (|u_2| - |u_1|) - (|h(u_2)| - |h(u_1)|)$ is maximal. Let $\iota = \iota_{h(u_2)}^{d}$ be the
insertion of a $d$-gap at $h(u_2)$ and $r' = \iota(r)$.
Figure 1. Example for Proposition . In the first tree $(u_1, u_2)$ is problematic, insertion
of a gap (D-Step) at $h(u_2)$ makes (the pair corresponding to) $(x_1, x_2)$ problematic;
insertion of a gap (L-Step) at $h(x_2)$ makes $(y_1, y_2)$ problematic; insertion of a gap
(L-Step) at $h(y_2)$ makes the tree stretching.

Denote by $\iota(w)$ ($\iota(v)$) the data values of the first (last, respectively) configuration
of $r'$. Let $h' : \mathrm{MCAT}_C(\iota(w)) \to \mathrm{MCAT}_C(\iota(v))$ be the corresponding isomorphism.
By definition the set $L_{r'} = \{ (x_1, x_2) \in P_{r'} \mid x_2 \text{ incomparable left of } h'(x_2) \}$ does
not contain a pair $(u, \iota(u_2))$ for any $u \in \mathrm{MCAT}_C(\iota(w))$. Nevertheless, $r'$ may
admit problematic pairs that are not problematic with respect to $r$. This can
happen if there are $x_1, x_2 \in \mathrm{MCAT}_C(w)$ such that $x_1 \prec h(u_2) \preceq x_2$ holds, but
$h(x_1) \prec h(u_2) \preceq h(x_2)$ does not. Then, the distance between $\iota(x_1)$ and $\iota(x_2)$ is
greater than the distance between $x_1$ and $x_2$ (by $d$). On the other hand, either
both or none of $h'(\iota(x_1))$ and $h'(\iota(x_2))$ are shifted by the insertion of the gap
whence their distance is equal to the distance of $h(x_1)$ and $h(x_2)$.

In this case, possibly $(\iota(x_1), \iota(x_2))$ is problematic w.r.t. $r'$ while $(x_1, x_2)$
is not problematic w.r.t. $r$. Application of Lemma 17 shows that then $x_2$ is
incomparable left of $h(x_2)$ and $u_2$ is incomparable left of $x_2$ whence the same holds
for $\iota(x_2)$, $h'(\iota(x_2)) = \iota(h(x_2))$ and $\iota(u_2)$. Thus, if $(\iota(x_1), \iota(x_2))$ is problematic,
then $(\iota(x_1), \iota(x_2)) \in L_{r'}$ and $\iota(u_2)$ is strictly incomparable left of $\iota(x_2)$.

Thus, iteration of this step only creates problematic pairs that are more and 
more to the right with respect to typQ{wn) = Since typ(;;(' 6 (;„) is 

finite, we eventually do not introduce new problematic pairs and obtain a run 
such that = 0 and r <c Ti because results from insertion of several gaps 
in r. 

R-Step: If $R_r \neq \emptyset$, proceed as in (L-Step) all “left” and “right”.

D-Step: If $L_r = R_r = \emptyset$ and $r$ is not stretching, then $D_r \neq \emptyset$. Choose $u_2$
$\sqsubseteq$-minimal in $\mathrm{MCAT}(w)$ such that there is some $u_1$ with $(u_1, u_2) \in D_r$ and
choose $u_1 \preceq u_2$ in $\mathrm{MCAT}_C(w)$ such that $d := (|u_2| - |u_1|) - (|h(u_2)| - |h(u_1)|)$ is
maximal. Since $r$ is not contracting we have $u_2 \preceq h(u_2)$ and $u_1 \preceq h(u_1)$. Assume
$u_2 = h(u_2)$, then $u_1 \prec h(u_1)$ as $(u_1, u_2) \in D_r$. This contradicts that $r$ is not
contracting. Thus $u_2 \prec h(u_2)$. Again, let $\iota = \iota_{h(u_2)}^{d}$ and $r' = \iota(r)$.

Define t{v) and h' as in the L-step. Again there may be a pair {xi,X 2 ) 
which is not problematic with respect to r while (i(xi), b{x2)) is problematic with 
respect to r' . If Rr' or are nonempty, we can deal with those problematic 
intervals using R- or L-steps. This finally leads to a run rj with = Lj.- = 0 . 
Moreover, for every pair (xi,X2) such that this pair is not problematic with 
respect to r but (t(a;i), b{x 2 )) is problematic with respect to r', we conclude that 
X2 is strictly below U2 whence l(x2) is strictly below l{u2) w.r.t. ri- Thus, the 
endpoints of problematic pairs move downwards (in typ(;;('i(), zi) = typ(;;;(z(}', a')) 
and eventually all problematic pairs are removed. Once Vj is a loop without 
problematic pair, it is stretching. □ 


Corollary 19. The set of words accepted by an automaton $A$ is nonempty if
and only if there are runs $r_1, r_2$ such that $r_2$ is a noncontracting loop starting
in configuration $(f, w)$ where $f$ is a final state and $r_1$ is a run from an initial
configuration to some configuration $(f, v)$ such that $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$.

Proof. Due to Lemma 11 only ($\Leftarrow$) requires a proof. Assume that there are runs


ri, r2 as stated above. By Lemma[^ there is a run r2 <c ^'2 such that (/, v) <c cq 
for Co the initial configuration of r^. Note that is also noncontracting whence 
by Proposition 18 there is a stretching loop r'f such that <c x'f. Hence this 
loop starts in some configuration ci such that (/, a) <c Ci. Applying Lemma 
to ri and C2 we obtain a run from an initial configuration to C2. Thus, and 
r'f match the conditions of Lemma 11 which completes the proof. □ 


3.3 Emptiness and Computation of Types 

In order to turn this characterisation of emptiness in terms of types into an 
effective algorithm for the emptiness problem the last missing step is to compute 
whether a given type is realised by some run of a given automaton. 

For this purpose, we equip the set of all sets of types with a product operation.
Let $S, T$ be sets of types of runs; a type $(q, \pi, p)$ is in $S \cdot T$ if there are $(q, \pi_1, r) \in S$,
$(r, \pi_2, p) \in T$ and tuples $u, v, w$ such that $\mathrm{typ}_C(u, v) = \pi_1$, $\mathrm{typ}_C(v, w) = \pi_2$ and
$\mathrm{typ}_C(u, w) = \pi$. Let $T_1$ denote the set of all types of runs of length 1 (of some
fixed automaton $A$) and $(T_1)^+ = \bigcup_{n \in \mathbb{N}} (T_1)^n$. By induction on the length, one easily
shows that every finite run $r$ of $A$ satisfies $\mathrm{typ}(r) \in (T_1)^+$. Conversely, for every
type $t \in (T_1)^+$ there is also a run of $A$ of type $t$. This is due to the fact that
gap-insertion preserves types (Lemma ), $\to$ is upwards compatible (Lemma )
and that trees of a given type $t_1$ with large gaps have, for all order types $t, t_2$ with
$t \in \{t_1\} \cdot \{t_2\}$, an extension to a tree witnessing this product. The necessary
proofs are not very difficult but tedious and lengthy.

We conclude that a type $t$ is in $(T_1)^+$ if and only if $t$ is the type of some run
of $A$. Moreover, types of runs can be represented in polynomial space (in terms of
the constants and the dimension of a given automaton) and the product of types
can be computed in PSPACE. Thus, we can determine whether an automaton
$A$ realises a type $t$ by guessing types in $T_1$ and computing an element of their
product until it matches $t$. This proves the following proposition.

Proposition 20. There is a PSPACE-algorithm that, given a constraint
automaton $A$ and a type $t$, determines whether there is a run of $A$ of type $t$.

Together with Corollary we obtain an algorithm proving Theorem 

Proof (of Theorem ). By Corollary it suffices that the algorithm guesses a
type $(i, \pi, f)$ and a noncontracting type $(f, \pi', f)$ such that $i$ is an initial state, $f$
is a final state, and the order type of the last elements of $\pi$ coincides with the
order type of the first elements of $\pi'$, and then checks whether these types are
realised by actual runs using the previous proposition. □
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A Proof of Proposition 

First we recall the proposition. 

Proposition 21. There is a polynomial time algorithm that computes, on input 
an $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\varphi$, an equivalent $\mathrm{LTL}(\{\preceq, \sqsubseteq, S\})$-formula $\psi$ such that 
$\psi$ does not contain terms of the form $X^i x$ with $i > 2$. □ 

Proof. First, we can replace any occurrence of * X^y by * 

(Xi-™‘n(*o')y). Now assume that there is a subformula of the form X*x * y (the case 
X * X^y is symmetrical). Introducing fresh variables yo,yi,..., yi-i we replace this 
formula by the formula x * yi and add the conjunct G{yQ = 2/ A Aj=i Vj = ^ 2 /t-i) 
which is polynomial in i. Obviously, this replacement yields an equivalent formula. 
Iterating this process for all constraints, we obtain the desired formula tp. □ 

B Missing part of Theorem 

Let $D = (\{11, 22\}^* 12, \sqsubset)$ where $\sqsubset$ denotes the lexicographical order. 

Lemma 22. $D$ and $(\mathbb{Q}, <)$ are isomorphic. 

Proof. $D$ is countable and does not have endpoints because $((11)^n 12)_{n \in \mathbb{N}}$ forms a 
strictly descending sequence such that any element of $D$ is minorised by some 
element of the chain. Analogously, $((22)^n 12)_{n \in \mathbb{N}}$ is a strictly increasing sequence 
majorising every element. Thus, it is left to show that $\sqsubset$ is a dense order. Let 
$w, v \in D$ with $w \sqsubset v$. Writing $w = w_1 w_2 \dots w_k$ with $w_i \in \{11, 12, 22\}$ and 
$v = v_1 v_2 \dots v_l$ with $v_i \in \{11, 12, 22\}$, let $i$ be minimal such that $w_i \neq v_i$. If 
$v_i = 12$ then $w_i = 11$ and $w_1 w_2 \dots w_i (22)^{|w|} 12$ is between $w$ and $v$. If $v_i = 22$ 
and $w_i = 11$ or $w_i = 12$ then $w \sqsubset w_1 w_2 \dots w_{i-1} 22 (11)^{|v|} 12 \sqsubset v$. □ 
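The density argument of Lemma 22 can be checked mechanically. The following Python sketch is an added example, not part of the paper: it builds the witness from the proof for every pair of elements of $D$ up to a small size and confirms that it lies strictly in between. The function names are hypothetical, and the exponents $|w|$ and $|v|$ are taken to be the number of two-letter blocks, which is an assumption (any padding at least as long as the remaining blocks works).

```python
from itertools import product

BLOCKS = ("11", "22")   # inner blocks of an element of D
END = "12"              # every element of D ends with this block


def elements(max_inner):
    """All words of D = {11,22}*12 with at most max_inner inner blocks."""
    return ["".join(p) + END
            for k in range(max_inner + 1)
            for p in product(BLOCKS, repeat=k)]


def blocks(word):
    """Split a word of D into two-letter blocks and validate its shape."""
    bs = [word[i:i + 2] for i in range(0, len(word), 2)]
    if (len(word) % 2 or not bs or bs[-1] != END
            or any(b not in BLOCKS for b in bs[:-1])):
        raise ValueError(f"{word!r} is not in {{11,22}}*12")
    return bs


def between(w, v):
    """Witness from the proof of Lemma 22: some u in D with w < u < v."""
    if not w < v:   # Python compares str lexicographically, and '1' < '2'
        raise ValueError("need w strictly below v")
    wb, vb = blocks(w), blocks(v)
    # D is prefix-free, so a first differing block always exists.
    i = next(j for j, (a, b) in enumerate(zip(wb, vb)) if a != b)
    if vb[i] == END:
        # Then w_i = 11: keep w_1..w_i and pad with 22s to climb above w.
        return "".join(wb[:i + 1]) + "22" * len(wb) + END
    # Otherwise v_i = 22 and w_i is 11 or 12: keep w_1..w_{i-1}, take 22,
    # then pad with 11s to stay below v.
    return "".join(wb[:i]) + "22" + "11" * len(vb) + END


def check_dense(max_inner):
    """Run the witness construction on every pair w < v; return pair count."""
    d = sorted(elements(max_inner))
    checked = 0
    for w in d:
        for v in d:
            if w < v:
                u = between(w, v)
                blocks(u)                     # u is again an element of D
                assert w < u < v, (w, u, v)
                checked += 1
    return checked


def no_endpoints(word, bound=64):
    """Elements of the chains (11)^n 12 and (22)^n 12 below and above word."""
    blocks(word)
    lower = next("11" * n + END for n in range(bound) if "11" * n + END < word)
    upper = next("22" * n + END for n in range(bound) if "22" * n + END > word)
    return lower, upper
```
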

Definition 23. For $\sigma$ some signature and $\sigma$-structures $\mathfrak{A}$ and $\mathfrak{B}$ we say a homomorphism 
$h : \mathfrak{A} \to \mathfrak{B}$ is a $\sigma$-injection if it is injective and preserves the relations, 
functions and constants under preimages. 

Lemma 24. Let $h : (\mathbb{Q}, <) \to D$ be an isomorphism. The extension $g : \mathbb{Q}^* \to (\{11, 22\}^* 12)^*$, 
given by $g(q_1 q_2 \dots q_n) = h(q_1) h(q_2) \dots h(q_n)$, is a $\{\preceq, \sqsubseteq\}$-injection 
of $T_\infty = (\mathbb{Q}^*, \preceq, \sqsubseteq)$ into $T_2 = (\{1, 2\}^*, \preceq, \sqsubseteq)$. 

Proof. Note that $g$ is injective: if $w$ is in $\mathrm{im}(g)$, then the number of occurrences 
of 12 where 1 occurs at an odd position determines the length of every preimage 
$v$ such that $g(v) = w$. It is then a routine check to prove uniqueness of $v$. 

We next show that $g$ preserves $\preceq$ (in both directions). It is obvious from the 
definition that $w \preceq v$ implies $g(w) \preceq g(v)$. Now assume that $g(w) \preceq g(v)$. Due to 
the same argument as in the injectivity proof, this implies that $w = w_1 w_2 \dots w_k$, 
$v = v_1 v_2 \dots v_l$, $k \leq l$ and $h(w_i) = h(v_i)$ for every $1 \leq i \leq k$. Since $h$ is injective, 
it follows that $w_i = v_i$ for all $i \leq k$ which implies $w \preceq v$. 

Finally, we have to prove preservation of $\sqsubseteq$. For rational numbers $q_1, q_2$ 
we have $q_1 < q_2$ iff $h(q_1) \sqsubset h(q_2)$. From this it easily follows that for words 
$w, w' \in \mathbb{Q}^*$, $w \sqsubseteq w'$ if and only if $w \preceq w'$ or $w = v i w_1$ and $w' = v j w_2$ for some 
$v \in \mathbb{Q}^*$ and some $i < j$ if and only if $g(w) \preceq g(w')$ or $g(w) = g(v) h(i) g(w_1)$ and 
$g(w') = g(v) h(j) g(w_2)$ with $h(i) \sqsubset h(j)$ if and only if $g(w) \sqsubseteq g(w')$. □ 

C Missing Proofs Concerning $\leq_C$ 

In this section we prove Lemma Part is proved in Lemma Part in 
Lemma | 28 ] and Part | 3 ] in Lemma [23 

C.1 Proof of Part 1 

Lemma 25. $\leq_C$ is a well-quasi order. 

Proof. Obviously, $\leq_C$ is a quasi order. 

Any infinite sequence of $n$-tuples of words induces an infinite sequence 
$(w^i, C)_{i \in \mathbb{N}}$. The latter has an infinite subsequence such that for all 
$i, j \in I$, $\mathrm{typ}_C(w^i) = \mathrm{typ}_C(w^j)$. This implies that $\mathrm{MCAT}_C(w^i)$ and $\mathrm{MCAT}_C(w^j)$ 
are isomorphic for all $i, j \in I$ via an isomorphism $\varphi_{i,j}$. 

For every $i \in I$ we define a map $f_i : \mathrm{MCAT}_C(w^i)^2 \to \mathbb{N}$ by $(u, v) \mapsto |u| - |u \sqcap v|$. 
Fix an $i_0 \in I$ and an enumeration of the domain of $f_{i_0}$. This induces 
an enumeration of the domain of $f_i$ for every $i \in I$ by letting $(u, v) \in \mathrm{dom}(f_i)$ be 
the $k$-th element if $(\varphi_{i,i_0}(u), \varphi_{i,i_0}(v))$ is the $k$-th element of $\mathrm{dom}(f_{i_0})$. 

By Dickson’s Lemma we find tuples $w^j, w^k$ ($j < k$) such that for all $(u, v) \in \mathrm{MCAT}_C(w^j)^2$, 
$f_k(\varphi_{j,k}(u), \varphi_{j,k}(v)) \geq f_j(u, v)$. From this we immediately conclude 
that $w^j \leq_C w^k$. □ 

C.2 Proof of Part 2 

We prepare the proof of strong upwards compatibility of the transition relation 
by formally proving the following intuition: if $\mathrm{MCAT}_C(w')$ has larger gaps than 
$\mathrm{MCAT}_C(w)$ (seen as subtrees of $\mathbb{Q}^*$), every extension of $\mathrm{MCAT}_C(w)$ to a bigger 
tree induces a corresponding extension of $\mathrm{MCAT}_C(w')$ to a bigger tree of the 
same order type. 

Definition 26. For $D, E, F$ sets with $D \subseteq E$, we say $h : E \to F$ extends 
$g : D \to F$ if $h|_D = g$. 

Lemma 27. Let $\sigma = \{\preceq, \sqsubseteq, \sqcap\}$ and $w, w' \in \mathbb{Q}^*$ be tuples such that $w \leq_C w'$. 
The isomorphism $h : \mathrm{MCAT}_C(w) \to \mathrm{MCAT}_C(w')$ extends to a $\sigma$-injection $f$ : 
Proof. In order to simplify the notation, we assume without loss of generality 
that C C w. We define a family of u-injections fj : Q-^ —>■ Too such that fj 
extends h I'm, where Mj = G MCATc(fo) | \w\ < }. Let /o : {e} —> 

{e}. Assume that fj has been defined and satisfies that for all a C u; and all 
u G 
1. u ^ PI ■(; iff fj{u) :< 8.nd 

2. if M ^ then IPI^I - |w| < |/(nt^)l - \fjiu)\- 

For each word u € Q^, we define the values of fj+i on uQ according to the 
following rule. Let Vi,V 2 t ■ ■ ^ w he those subsets such that for each i there 

is some G Q with P|hi = uqi. We can assume that qi < q 2 < • • ■ < Qm- Note 
that the second condition on fj implies that fj{u) and /i(P|hi) have distance at 
least 1 whence there is some g- G Q such that /j(u)g' ^ h{\~\vi). We claim that 
for all fc, Z < TO we have qk < qi if and only if q'j^ < q'l- 

— If gfc = qi then uq^ ^ Pl^fe ^ P|h/ = P|(hfe U vi). Thus, there is some i such 
that PI hi = P|(hfe Uhi) and qi = qk = qi- Then fj{u)q[ ^ /i(P|hi) ^ Zi(P|hfe) 
and analogously for h/ whence q'i = q'k = q'l- 

— If gfc < qi then Phfe □ Ph; = u. Thus, u G MCATc(h;) and fj{u) = h{u) = 
Hrivk) n Zi(P|hz). Moreover, Pjhfc C P|h/ whence h{\~\vk) □ h{\~\vi). The 
only possibility to match both requirements is that < g[. 

Fixing isomorphisms gi:{gG(5|gi<g< gi+i }-t{gGQ|g'<g< g'+i } 
(with go = go = —oo and gm+i = gP+i = oo), we define for every g G Q 


fj+iiuq) = 


h{\~\vi) ifg = gi, 

fj{u)gi-i{q) otherwise, where gi G { gi, ..., qm, Qm+i } is minimal with g < qi. 


Assuming that $f_j$ preserves $\preceq$, $\sqsubseteq$ and $\sqcap$ in both directions, it is not difficult to 
prove the same result for $f_{j+1}$. Thus, the limit of $(f_j)_{j \in \mathbb{N}}$ is the desired $\sigma$-injection 
$f$. □ 


Proposition 28. and are strongly upwards compatible with respect to $\leq_C$. 

Proof. Given $k$-tuples $w, v, w'$ and states $q, p$ such that there is a transition 
$(q, w) \to (p, v)$ and such that $w \leq_C w'$ we have to show that there is some 
$v \leq_C v'$ and a transition $(q, w') \to (p, v')$. 

Since $w \leq_C w'$, the isomorphism $h : \mathrm{MCAT}_C(w) \to \mathrm{MCAT}_C(w')$ extends (by 
Lemma 27) to a $\{\sqsubseteq, \sqcap\}$-injection $h$ : . Setting $v_i' = h(v_i)$ for each 
$v_i \in v$ we obtain with $v' = (v_1', \dots, v_k')$ that $(p, v) \leq_C (p, v')$ and $(q, w') \to (p, v')$ 
as desired. 

The argument for —is completely analogous. 


□ 


C.3 Proof of Part 3 


Recall from Lemma 16 that insertion of an $n$-gap at some $u$ which is not prefixed 
by a constant from $C$ preserves the type and leads to a $\leq_C$ larger tuple. Iterated 
use of this lemma proves Part 3 of Lemma which we restate in the following 
lemma. 

Lemma 29. Given two configurations $(q, w)$ and $(q, v)$ such that $\mathrm{typ}_C(w) = \mathrm{typ}_C(v)$ 
then there is a configuration $(q, u)$ such that $(q, w) \leq_C (q, u)$ and 
$(q, v) \leq_C (q, u)$. 

Proof. Let $d \in \mathbb{N}$ be maximal such that there are $x_1, x_2 \in \mathrm{MCAT}_C(w)$ with 
$x_1 \preceq x_2$ and $|x_2| - |x_1| = d$. Inductively, from the $\preceq$-maximal elements to $\varepsilon$ we 
insert a gap of size $d$ at each $y \in \mathrm{MCAT}_C(v)$ if $y$ is not prefixed by a constant from 
$C$. All these iterated insertions result finally in a tuple $u$ such that $(q, v) \leq_C (q, u)$ 
and for all $z_1, z_2 \in \mathrm{MCAT}_C(u)$ such that $z_1 \preceq z_2$ and $z_2$ is not prefix of any 
constant from $C$, then $|z_2| - |z_1| > d$. Thus, by definition of $d$ also $(q, w) \leq_C (q, u)$ 
holds as desired. □ 


D Computation of Types 

The goal of this section is to prove Proposition i.e., to provide an algorithm 
that checks whether a given type is realised by one of the runs of a given 
$T_\infty$-automaton. For this purpose we first fix an $n$-dimensional $T_\infty$-constraint 
automaton $A$ with state set $Q$. We equip the power set of all types with a product 
operation as follows. 

Definition 30. 

— Let $\mathrm{Typs}_{n,C}$ denote the set of all types $(q, \pi, p)$ where $q, p \in Q$ 
and $\pi = \mathrm{typ}_C(w, v)$ where $w$ and $v$ are $n$-tuples of words. 

— We equip the power set with a product $\cdot$ as follows. For $t = (q_1, \pi_1, p_1)$, 
$u = (q_2, \pi_2, p_2)$, $v = (q_3, \pi_3, p_3) \in \mathrm{Typs}_{n,C}$ let $t \in \{u\} \cdot \{v\}$ if 

1. $q_1 = q_2$, $p_1 = p_3$, $p_2 = q_3$, and 

2. there are $n$-tuples $x, y, z$ such that $\mathrm{typ}_C(x, y) = \pi_2$, $\mathrm{typ}_C(y, z) = \pi_3$ and 
$\mathrm{typ}_C(x, z) = \pi_1$. 

Generally, for $A, B \subseteq \mathrm{Typs}_{n,C}$ such that at least one of them is not a singleton, 
we define $A \cdot B = \{ t \cdot u \mid t \in A, u \in B \}$. 

— The set of types of one-step runs $T_1 \subseteq \mathrm{Typs}_{n,C}$ is given by $t = (q, \pi, p) \in T_1$ 
if there is a transition $(q, \beta, p)$ of $A$ such that $\pi$ satisfies $\beta$. 

— Let $T_1^1 = T_1$, $T_1^{n+1} = T_1^n T_1$, and $T_1^+ = \bigcup_{n \geq 1} T_1^n$. 

Remark 31. One easily checks that $t \in T_1$ holds if and only if there is a run of 
length 1 with type $t$. 

The product operation resembles the composition of types. As a consequence 
one can connect the runs of $A$ and $T_1^+$ as follows. 

Lemma 32. There is a run of $A$ of type $t$ if and only if $t \in T_1^+$. 

Before we provide a proof, we show how this lemma can be used to prove 
which we restate here: 

Proposition 33. There is a PSPACE-algorithm that, given an $n$-dimensional 
constraint automaton $A$ and a type $t$, determines whether there is a run of 
$A$ of type $t$. 

Proof. Writing $m = \max(|c| : c \in C)$ the algorithm uses polynomial space in 
terms of $m + n + |A|$. Given $n$-tuples $w$ and $v$, note that $\mathrm{typ}_C(w, v)$ contains at 
most $4n$ elements that are not constants. Thus, we can represent any type by 2 
states and $2n$ words of length at most $m + 4n$. Moreover, it takes logarithmic 
space in $n$ and $|A|$ to check whether a given type satisfies a specific transition. 
Finally, it only needs $O(2n(m + (4n \cdot 2n)))$ space to decide whether a given type 
$t$ is in the product of two types $t_1, t_2$ (cf. the upcoming Lemma 38). 

Thus, an NPSPACE (= PSPACE) algorithm can guess a first type $t_1 \in T_1$ 
and, having stored a type $t_i \in T_1^i$, it can guess another type $t \in T_1$ and a type 
$t_{i+1}$ and verify that $t_{i+1} \in \{t_i\} \cdot \{t\}$. This procedure is iterated until $t_i$ is the 
desired type and the algorithm reports that $t_i$ can be realised by some run. □ 


D.1 Proof of Lemma 32 

We finally have to prove the connection between composition of runs and products 
of their types. One direction is easily shown and contained in the following lemma. 

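Lemma 34. For $r = (c_i)_{1 \leq i \leq n}$ a run (with $n \geq 2$), $\mathrm{typ}(r) \in T_1^{n-1}$. 

Proof. For $n = 2$ the claim follows by definition of $T_1^1 = T_1$. We proceed 
by induction. Write $c_i = (q_i, w_1^i, \dots, w_k^i)$. Let $r' = (c_i)_{1 \leq i \leq n-1}$ and $r_{n-1} = (c_i)_{n-1 \leq i \leq n}$. 
By induction hypothesis $\mathrm{typ}(r') = (q_1, \pi, q_{n-1}) \in T_1^{n-2}$ with 

$\pi = \mathrm{typ}_C(w_1^1, \dots, w_k^1, w_1^{n-1}, \dots, w_k^{n-1})$ 

and $\mathrm{typ}(r_{n-1}) = (q_{n-1}, \pi_{n-1}, q_n) \in T_1$ with 

$\pi_{n-1} = \mathrm{typ}_C(w_1^{n-1}, \dots, w_k^{n-1}, w_1^n, \dots, w_k^n)$. 

Thus, the tuples $w_1^1, \dots, w_k^1$, $w_1^{n-1}, \dots, w_k^{n-1}$, $w_1^n, \dots, w_k^n$ witness that 

$(q_1, \pi', q_n) := \mathrm{typ}(r) \in \mathrm{typ}(r') \cdot \mathrm{typ}(r_{n-1}) \subseteq T_1^{n-2} \cdot T_1 = T_1^{n-1}$ 

which completes the proof. □ 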

The other direction of Lemma 32 relies on the following intuition. 

1. By upwards-compatibility and gap-insertion every type realised by some run 
is realised by one with large gaps between all pairs of elements except the 
constants. 

2. If two $n$-tuples $w, v$ have $2n$-gaps between all pairs of elements from $\mathrm{MCAT}_C(w, v)$ 
except the constants, then for every type $t \in \mathrm{typ}_C(w, v) \cdot T_1$ there is a tuple 
$u$ such that $w, v, u$ witness this inclusion. 

3. Thus, assuming that all types from are realised by runs, for all t G 

j.n -1 ^ realise the appropriate type from with a run r that 

has large gaps at its last configuration and find a witness for t by realising 
the appropriate type from Ti using the values of the last configuration of r. 

Assuming any reasonable notion of size of an automaton. 

Proving these intuitions is rather tedious and we give the details in the following. 
Recall that we assume that the set of constants $C$ is closed under prefixes. Let 
us first make precise what a gap is. 

Definition 35. We say that a tree $T \subseteq \mathbb{Q}^*$ has $n$-gaps above $C$ if for all $d, e \in T$ 
with $d \prec e$ such that $e \not\preceq c$ for all $c \in C$ we have $|e| - |d| > n$. 

We can now give a precise version of the first claim. 

Lemma 36. Given a finite run $r$ there is a run $r'$ from $c_1' = (q, w')$ to $c_2' = (p, v')$ 
of the same type such that $\mathrm{MCAT}_C(w', v')$ has $2n$-gaps above $C$. 

Proof. Let $r$ be a run from $(q, w)$ to $(p, v)$. For each $u \in \mathrm{MCAT}_C(w, v)$ (starting 
with $\preceq$-maximal ones) that is not a constant from $C$, we insert a gap of size $2n$ 
at $u$ in $r$. Since gap insertion preserves types (Lemma 16), the resulting run $r'$ 
from $(q, w')$ to $(p, v')$ is of the same type as $r$ and $\mathrm{MCAT}_C(w', v')$ has $2n$-gaps 
above $C$. □ 

For the second claim we need a technical lemma first and then prove the 
second intuition to be correct. 

Lemma 37. Let $\sigma = \{\preceq, \sqsubseteq, \sqcap\}$, $n \in \mathbb{N}$. Let $A \subseteq \mathbb{Q}^*$ be some finite set closed 
under maximal common prefixes such that $\varepsilon \in A$. Let $B \subseteq A$ and $h : A \to T_\infty$ a 
$\sigma$-injection such that $h(A)$ has $n$-gaps above $h(B)$. Given $D \subseteq \mathbb{Q}^*$ such that 

1. $|D \setminus A| \leq n$, 

2. $D \cup A$ is closed under maximal common prefixes, and 

3. there is no $d \in D$ and $b \in B$ such that $d \preceq b$, 

then $h$ extends to a $\sigma$-injection $h_0 : A \cup D \to T_\infty$. 

Proof. The base case $n = 0$ is trivial. Assume that the lemma has been proven 
for some $n \in \mathbb{N}$. If $|D \setminus A| = n + 1$, let $d \in D \setminus A$ be $\sqsubseteq$-minimal. By induction 
hypothesis it suffices to extend $h$ to a $\sigma$-injection $h' : A \cup \{d\} \to T_\infty$ that has 
$n$-gaps above $h(B \cup \{d\})$. We first define the image of $d$ by a case distinction 
and prove that the resulting map $h'$ has the desired properties. We distinguish 
two cases. 

1. Assume that there is some a G A such that d < a. Since e G A we find a 
maximal w G A such that w < d. Moreover, d = n{ aGA|dAa}is well 
defined and satisfies w < d. Thus, h{w) -< h{d) and there is a g G Q such that 
h(w)q < h{d). Let h' be the extension of h to AU {d} mapping /i'(d) = h{w)q 
and h'{a) = h{a) for all a G A. 

2 . Otherwise, there is no a G A with d < a. Let again w G A be maximal with 
w ^ d and let qd G Q such that wqd A d. For later use we first establish that 

there is no a G A with wqd A o- (1) 

Assuming the contrary let wqd A o,. Since A U D is closed under maximal 
common prefixes, we conclude that wqd A (a □ d) G A U D. (a □ d) G A 
contradicts the maximality of w. But due to C-minimality of d, (and) G D\ A 
is only possible if d = a n d which implies d < a which contradicts our 
assumption on d. 

We define a partition of{aGA|r(;^a}by setting 

A~ = {a & A\w < a and a C d } and 
= { a e A I w < a and d C a } . 

If A~ ^ 0 let oT be its C-maximal element. Since h preserves there is some 
G Q such that h{w)q~ ^ h{a~). If A~ — 0 set q~ = —oo. Analogously, if 
A+ ^ 0 let aA be its C-minimal element. Since h preserves there is some 
g"*" G Q such that h{w)q~^ ^ h{a'^). If A~ = 0 set g+ = oo. 

If a~ and a~^ are both defined, we conclude with 0 that there are qi < qa < 52 
such that wqi ^ a~ and wq 2 A a’*'. Since d is a cr-injection, we directly 
conclude that q~ < q~^. 

Choose q G (g“, g+) arbitrarily and define the map h' : A U { d} —> Too by 
h'{a) = h{a) for all a G A and h'{d) = h{w)q. 

We prepare the proof that h! is a tr-injection by establishing that 

for all p G {q~ ,q'^) there is no a G A such that h{w)p ^ h{a). (2) 

Heading for a contradiction assume that there was such a and note that 
h{a~) C h{a) C h{a^) and h{w) -< h{a). This would imply a~ \Z a \Z and 
w < a. But this clearly contradicts the definitions of a~ and as maximal 
below d (minimal above d, respectively). 

We claim that the resulting map h' is a cr-injection. 

Injectivity: Heading for a contradiction, assume that there is an a G A with 
h[a) = h{w)q then hiw) -< h{a) which implies w ^ a. But then either w ^ a ^ d 
violates the choice of ru or d ^ a. In the latter case the third condition on D 
implies that there is no 6 G H with a <b. But then hiw) and h{a) need to have 
an (n -|- l)-gap which is not the case. Thus, we have arrived at a contradiction 
and conclude that there is no a G A with h{a) = h(w)q whence h' is injective. 
Preservation of A: We show that h' preserves ^ in both directions. Choose 
some a G A. 

— If a ^ d then by choice of w we have a <w whence h'{a) = h{a) ^ h{w) < 
h'{d). 

— If h'{a) = h{a) ^ h'{d) = h{w)q, then h{a) ^ h{w) because d' is injective. 
Thus, a ^ w ^ d as desired. 

— If d ^ a we are in case one of the definition of h'. Thus, d ^ a whence by 
definition d'(d) ^ d(d) ^ h{a) = h'{a). 

— If h'{d) = h{w)q ^ d(a), we conclude with ([^ that we are in case one 
of the definition of h'. Thus, h(w)q ^ d(d) ^ h{a) implies that h{w)q ^ 
h{a) n h{d) = h{a □ d). Since d is a cr-injection, it follows that w ^ ar\d <d. 
Since d ^ d, we obtain that a □ d and d are comparable. By maximality of w, 
we conclude d ^ (a □ d) ^ a. 
Preservation of C: Due to the ^ preservation, it suffices to prove preservation 
of C n Again choose some o G A. 

— Assume that a Q d and a d. If a Q w we immediately conclude that 
h'{a) = h{a) C h{w) C h{w)q = h'{d). Otherwise, one immediately concludes 
that dr\ a = w. 

1. If h' has been defined in case one, we immediately conclude arid = w 
and a C a whence h{a) □ h{d) = h{a □ a) = h{w) and h{a) C h{d). Since 
h{w) h'{d) ^ h{d), it follows that that h'{a) = h{a) h{w). 

2. Otherwise, h' has been defined in the second case and we conclude that 
a G A~ whence a Q a~. This implies that h'{a) = h{a) C h{a~) C 
h{w)q = h'{d). 

— Assume that d 'Q a and d a. First assume that w a. Then dr\ a = 
wr\ a ^ w whence w Q a. Since is a cr-injection, we obtain h{w) C h{a), 
and h{w) □ h{a) = h{w □ a) ^ h{w). Thus, h{w) ^ h'{d) directly implies 
h'{d) O h{a) = h{a'). Otherwise, we have w < a. Since d O a we conclude 
that w ^ a. 

1. If h' has been defined in case one, d a, w ^ a and maximality of w 
imply that r(; = dna = dna. Since d and d are on a common path, we also 
have d C a. Thus, h{w) = h{d □ a) = h{d) □ h{a) and h{d) C h{a). Since 
h'{d) and h(a) are on a common path, we obtain h'{d) 'Q h(a) = h'(a). 

2. Otherwise, h' has been defined in case two. Then w ^ a and d Q a imply 
a+ C a. We conclude by choice of q that h'{d) = h{w)q C /i'(a+) C h{a). 

Since C is a total order, the backwards preservation of C follows directly from 
the forward preservation: assume h'(x) C h'{y), then forwards preservation 
and injectivity rules out the case y \Z x, whence x 'Qy because C is total. 

Preservation of □: Finally, note that h' preserves □ in both directions. Let 
a G A. If a and d are comparable, the claim follows from the preservation 
of Otherwise, if a and d are incomparable (with respect to ^), then we 
conclude a □ d G A whence a □ d = a □ w. But then also h'{a) and h'{d) are 
incomparable whence h'(a) n h'{d) ^ h'iw) whence by definition of h'{d) we have 
d'(a)n/i'(d) = h' {a)nh' [vS] = h{a)nh(w) = h{anw) = h'[aUw) = /i'(and). □ 

Lemma 38. Let $w, v$ be $n$-tuples and $t = (q, \pi, r)$, $t_1 = (q, \pi_1, p)$, $t_2 = (p, \pi_2, r) \in \mathrm{Typs}_{n,C}$ 
such that $\mathrm{typ}_C(w, v) = \pi_1$, and $\mathrm{MCAT}_C(w, v)$ has $(2n)$-gaps above $C$. 
There is an $n$-tuple $u$ such that $\mathrm{typ}_C(v, u) = \pi_2$ and $\mathrm{typ}_C(w, u) = \pi$. 

Proof. By definition of the product, there are $k$-tuples $x, y, z$ such that $\mathrm{typ}_C(x, y) = \pi_1$, 
$\mathrm{typ}_C(y, z) = \pi_2$ and $\mathrm{typ}_C(x, z) = \pi$. Fix the isomorphism $h : \mathrm{MCAT}_C(x, y) \to \mathrm{MCAT}_C(w, v)$. 
One shows by induction on $n$ that if $\mathrm{MCAT}_C(x, y)$ has $n_1 \in \mathbb{N}$ 
many leaves and $n_2 \in \mathbb{N}$ many inner nodes then $\mathrm{MCAT}_C(x, y, z)$ has at most $n_1 + n$ 
leaves and $n_2 + n$ inner nodes whence $|\mathrm{MCAT}_C(x, y, z) \setminus \mathrm{MCAT}_C(x, y)| \leq 2n$. 
Thus, $h$ extends by Lemma (setting $A = \mathrm{MCAT}_C(x, y)$, $B = C$, 
$D = \mathrm{MCAT}_C(x, y, z) \setminus \mathrm{MCAT}_C(x, y)$, and seeing $h$ as an injection $A \to T_\infty$) to 
a $\{\preceq, \sqsubseteq, \sqcap\}$-injection $h : \mathrm{MCAT}_C(x, y, z) \to T_\infty$ (which is the identity on 
all constants from $C$) such that for $u = h(z)$, $\mathrm{typ}_C(w, v, u) = \mathrm{typ}_C(x, y, z)$. In 
particular, $\mathrm{typ}_C(v, u) = \pi_2$ and $\mathrm{typ}_C(w, u) = \pi$ as desired. □ 

Now we are prepared to prove the last direction of Lemma 32. 

Lemma 39. For every $t \in T_1^+$ there is a run $r$ of $A$ with $\mathrm{typ}(r) = t$. 

Proof. As remarked before, for $t \in T_1^1 = T_1$ there is nothing to show. Let 
$t \in T_1^{n+1}$ and assume the claim is true for all $t \in T_1^n$. Let $t \in t_1 \cdot t_2$ with 
$t_1 \in T_1^n$ and $t_2 \in T_1$ and let $r'$ be a run of type $t_1$. Let $c_0 = (q, w)$ be the first 
and $c_1 = (p, v)$ the last configuration of $r'$. By Lemma 36 we can assume that 
$\mathrm{MCAT}_C(w, v)$ has $2n$-gaps. Thus, by Lemma 38 there is a tuple $u$ and a state $q'$ 
such that $(p, \mathrm{typ}_C(v, u), q') = t_2$ and $(q, \mathrm{typ}_C(w, u), q') = t$. Thus, extending $r'$ 
by configuration $(q', u)$ results in the desired run $r$. □ 